A new and sophisticated malware campaign, dubbed ‘CRESCENTHARVEST’, has been identified, leveraging the ongoing geopolitical unrest in Iran to target dissidents and protest supporters. This cyberespionage operation employs social engineering tactics to deploy a dual-purpose threat capable of functioning as both a remote access trojan (RAT) and an advanced information stealer. The attackers aim to compromise specific targets by impersonating legitimate protest-related content, thereby gaining trust and unauthorized access to sensitive computer systems.
The infection chain begins with an archive that appears to contain authentic media and reports about the current protests. Inside, the victim finds malicious .LNK shortcut files disguised as video or image files; one of them is named VID_20260114_000556_609.mp4.lnk. Because Windows Explorer never displays the .lnk extension (the shortcut file type is registered with NeverShowExt, so even the setting to show file extensions does not reveal it), the entry appears as VID_20260114_000556_609.mp4. When opened, the shortcut runs a hidden command sequence that deploys the payload while displaying the expected decoy content, so nothing looks amiss to the victim. Mixing a few malicious shortcuts among genuine Farsi-language documents also helps the archive pass a casual inspection.
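As an added illustration (this is not code from the Acronis report or from the malware), the following Python check performs the triage a responder would run over an extracted archive: it classifies each entry by its real file header rather than by the displayed name, so a shortcut wearing a media extension is caught even though Explorer would hide the .lnk suffix. The archive entries are constructed for the example; the shortcut is just the 76-byte MS-SHLLINK header with no payload.

```python
from pathlib import PurePath
from typing import Dict, List, Optional, Tuple

# MS-SHLLINK header: HeaderSize (0x0000004C, little-endian) followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions an attacker would want the victim to believe they are opening.
MEDIA_EXTS = {".mp4", ".mkv", ".avi", ".mov", ".jpg", ".jpeg", ".png", ".gif", ".pdf"}


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a genuine Windows shortcut header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def verdict(name: str, data: bytes) -> Optional[str]:
    """Compare the displayed name of one entry with what its header says it is."""
    suffixes = [s.lower() for s in PurePath(name).suffixes]
    if is_shell_link(data):
        # Real shortcut whose visible name ends in a media extension: the lure.
        if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in MEDIA_EXTS:
            return "shortcut disguised as media file"
        if suffixes[-1:] != [".lnk"]:
            return "shortcut with a non-.lnk name"
        return "shortcut"
    if suffixes[-1:] == [".lnk"]:
        return "named .lnk but not a shortcut"
    return None


def scan_entries(entries: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (name, finding) for every entry that deserves a second look."""
    return [(n, v) for n, d in entries.items() if (v := verdict(n, d))]


# Constructed sample archive content (not real samples): a shortcut header
# padded to the 76-byte header size, a minimal MP4 'ftyp' box, and a text note.
SAMPLE_ENTRIES = {
    "VID_20260114_000556_609.mp4.lnk": LNK_MAGIC + bytes(76 - len(LNK_MAGIC)),
    "protest_clip.mp4": b"\x00\x00\x00\x18ftypmp42" + bytes(16),
    "report.txt": "gozaresh".encode(),
}

if __name__ == "__main__":
    for name, finding in scan_entries(SAMPLE_ENTRIES):
        print(f"{name}: {finding}")
```

The same header check can be applied to every file in a mail gateway quarantine or a user's Downloads folder; the point is that a name-based rule ("block *.lnk") is trivially defeated by renaming, while the 20-byte signature is what the Windows shell actually acts on.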
CRESCENTHARVEST: Bypassing Security with DLL Sideloading and Exploiting Protest Sentiment
Acronis analysts report that the malware uses DLL sideloading: a legitimate, Google-signed executable, software_reporter_tool.exe (the Chrome Software Reporter Tool), is shipped alongside a malicious DLL carrying the name of a library the executable expects to find in its own directory, so the signed binary itself loads the attacker's code. Running inside a trusted, signed process, the payload lets the operators execute commands remotely, capture keystrokes, and exfiltrate data including browser credentials and Telegram session files. The campaign's primary objective appears to be long-term surveillance and intelligence gathering on individuals sympathetic to the opposition movement.
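An added detection example (not from the report, and the event records are constructed, not captured): the two signals that separate a sideloaded software_reporter_tool.exe from a normal one are a DLL loaded from the executable's own directory without a trusted signature, and the executable running somewhere other than its Chrome install location. The Python below applies both rules to Sysmon Event ID 7 (image loaded) records flattened to JSON lines. The expected install path is an assumption stated in the code, and the DLL name in the malicious record is illustrative.

```python
import json
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Signed executables known to resolve DLLs from their own directory first.
SIDELOAD_HOSTS = {"software_reporter_tool.exe"}
# Publishers whose signature on a DLL loaded by these hosts is acceptable.
TRUSTED_PUBLISHERS = {"Google LLC", "Microsoft Windows", "Microsoft Corporation"}
# Assumption: Chrome keeps the reporter tool under this User Data subfolder.
EXPECTED_HOST_DIR = "\\google\\chrome\\user data\\swreporter\\"

# Constructed Sysmon Event ID 7 records (raw strings, so "\\" is one JSON backslash).
SAMPLE_EVENTS = [
    r'{"EventID": 7, "Image": "C:\\Users\\u\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\99.0.0.0\\software_reporter_tool.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}',
    r'{"EventID": 7, "Image": "C:\\Users\\u\\Downloads\\protests\\software_reporter_tool.exe", "ImageLoaded": "C:\\Users\\u\\Downloads\\protests\\payload.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\explorer.exe"}',
]


def assess(event: dict) -> Optional[str]:
    """Return the reasons an image-load event looks like sideloading, or None."""
    if event.get("EventID") != 7:
        return None
    image = PureWindowsPath(event["Image"])
    if image.name.lower() not in SIDELOAD_HOSTS:
        return None
    loaded = PureWindowsPath(event["ImageLoaded"])
    trusted = event.get("Signed") == "true" and event.get("Signature") in TRUSTED_PUBLISHERS
    reasons = []
    # Rule 1: DLL resolved from the host's own directory, not signed by a trusted publisher.
    # PureWindowsPath compares case-insensitively, as the loader does.
    if loaded.parent == image.parent and not trusted:
        reasons.append("untrusted DLL loaded from the host's own directory")
    # Rule 2: the host binary itself has been copied out of its install location.
    if EXPECTED_HOST_DIR not in str(image).lower():
        reasons.append("host running outside its Chrome install location")
    return "; ".join(reasons) or None


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse JSON-line events and collect (loaded DLL name, reasons) for each hit."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reason = assess(event)
        if reason:
            hits.append((PureWindowsPath(event["ImageLoaded"]).name, reason))
    return hits


if __name__ == "__main__":
    for dll, why in hunt(SAMPLE_EVENTS):
        print(f"{dll}: {why}")
```

Rule 1 is the generic sideloading detector and carries over to any other signed host binary by extending SIDELOAD_HOSTS; rule 2 is cheap but specific, since a user copying the tool out of its folder is rare and an attacker staging it in Downloads or Temp is the norm.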
The operational sophistication of CRESCENTHARVEST suggests the involvement of a well-resourced adversary, likely aligned with Iranian state interests. By embedding the malware within content that resonates emotionally with the target audience, the attackers significantly increase the likelihood of a successful infection. Furthermore, the malware’s modular design allows it to adapt to various environments, ensuring its ability to harvest extensive data while maintaining a low profile on the victim’s machine. This targeted approach highlights the growing trend of politically motivated cyberattacks.
Evasion of App-Bound Encryption
A notable technical characteristic of CRESCENTHARVEST is a module built to circumvent Chrome's App-Bound Encryption, the mechanism that stops other code running as the same user from decrypting the browser's key the way it could with plain DPAPI. The malicious DLL, identified as urtcbased140d_d.dll, talks directly to the COM interface that the browser itself uses for this purpose. Rather than merely copying profile files, the module constructs a context that presents its request as coming from the browser, so the key is handed back through the legitimate decryption path instead of being attacked offline.
The module first locates the Local State file in the user's AppData directory (the browser's User Data folder) and extracts the app-bound encrypted key stored there. It then calls CoCreateInstance to obtain the COM object of Chrome's elevation service, a privileged Windows service that exists precisely to return this key only to the browser; satisfied by the forged context, the service decrypts the key. The plaintext key is passed over a named pipe to the main backdoor module, which can then decrypt saved login credentials and cookies and collect browsing history from the compromised profile.
To mitigate such threats, cybersecurity experts recommend that users adopt hardware security keys and treat unsolicited files received through email or other channels with extreme caution. Hardware keys stop a stolen password from being reused, but they do not protect a session whose cookies have already been exfiltrated, so accounts used from an infected machine should also have their active sessions revoked. Organizations are advised to monitor for unusual COM object instantiations and, because the signed binary in this campaign is genuine, to watch what signed executables load rather than trusting the signature alone: a Google-signed process loading an unsigned DLL from a user-writable directory such as Downloads or Temp is the signal. Politically sensitive events will keep attracting operations like this one, which makes continuous vigilance and sound security practice important for individuals and organizations alike.